AMSI Byte Array Scanning


L0 Member

Does anybody have a solution similar to Defender for Endpoint for using AMSI programmatically to scan incoming files? Essentially, we have a requirement to scan incoming files prior to sending them along to their next hop. This all occurs in memory and never actually writes to the disk.
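For reference, the "scan a byte array without touching disk" part of the question maps directly onto the Windows AMSI API in amsi.dll (AmsiInitialize, AmsiOpenSession, AmsiScanBuffer, AmsiCloseSession, AmsiUninitialize). The following is an added example, not code from this thread or from Cortex XDR or Defender for Endpoint. It assumes Windows 10 / Server 2016 or later with a registered AMSI provider (Microsoft Defender by default); the application name "InMemoryFileGateway", the function name Invoke-AmsiBufferScan and the two sample buffers are constructed for the example.

```powershell
# Added example: scan an in-memory byte[] with the AMSI API from PowerShell via P/Invoke.
# Assumes a registered AMSI provider (e.g. Microsoft Defender). Not part of the original thread.

$amsiSource = @'
using System;
using System.Runtime.InteropServices;

public static class AmsiNative
{
    // AMSI_RESULT values from amsi.h
    public const int AMSI_RESULT_CLEAN = 0;
    public const int AMSI_RESULT_NOT_DETECTED = 1;
    public const int AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384;
    public const int AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479;
    public const int AMSI_RESULT_DETECTED = 32768;

    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                            string contentName, IntPtr amsiSession, out int result);
}
'@
Add-Type -TypeDefinition $amsiSource -ErrorAction Stop

function Invoke-AmsiBufferScan {
    # Hypothetical helper name for this example: scans one buffer inside its own AMSI session.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [byte[]] $Buffer,
        [Parameter(Mandatory)] [string] $ContentName,
        [string] $AppName = 'InMemoryFileGateway'   # assumed app name reported to the provider
    )
    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero
    $hr = [AmsiNative]::AmsiInitialize($AppName, [ref]$ctx)
    if ($hr -ne 0) { [System.Runtime.InteropServices.Marshal]::ThrowExceptionForHR($hr) }
    try {
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        if ($hr -ne 0) { [System.Runtime.InteropServices.Marshal]::ThrowExceptionForHR($hr) }
        try {
            $result = 0
            $hr = [AmsiNative]::AmsiScanBuffer($ctx, $Buffer, [uint32]$Buffer.Length,
                                               $ContentName, $session, [ref]$result)
            if ($hr -ne 0) { [System.Runtime.InteropServices.Marshal]::ThrowExceptionForHR($hr) }
            [pscustomobject]@{
                ContentName    = $ContentName
                Length         = $Buffer.Length
                Result         = $result
                # Same rule as the AmsiResultIsMalware() macro in amsi.h: >= DETECTED means malware.
                IsMalware      = ($result -ge [AmsiNative]::AMSI_RESULT_DETECTED)
                BlockedByAdmin = ($result -ge [AmsiNative]::AMSI_RESULT_BLOCKED_BY_ADMIN_START -and
                                  $result -le [AmsiNative]::AMSI_RESULT_BLOCKED_BY_ADMIN_END)
            }
        } finally { [AmsiNative]::AmsiCloseSession($ctx, $session) }
    } finally { [AmsiNative]::AmsiUninitialize($ctx) }
}

# Constructed sample inputs: a benign text blob and the EICAR test string. The EICAR string is
# assembled at run time so that this script is not itself flagged when PowerShell submits it to AMSI.
$benign = [System.Text.Encoding]::ASCII.GetBytes('hello, this is an ordinary attachment')
$eicar  = [System.Text.Encoding]::ASCII.GetBytes('X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*')

Invoke-AmsiBufferScan -Buffer $benign -ContentName 'benign.txt'
Invoke-AmsiBufferScan -Buffer $eicar  -ContentName 'eicar.com'
```

Two caveats a practitioner will hit: AMSI_RESULT_CLEAN (0) and AMSI_RESULT_NOT_DETECTED (1) are both "not malware", but only CLEAN means the provider is confident enough for the result to be cached; and what AmsiScanBuffer actually inspects depends entirely on the registered provider, so a buffer scan is not guaranteed to be equivalent to the provider's on-disk file scan for every file format. Open one session per logical file if several chunks belong together, since providers use the session handle to correlate them.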


Community Team Member

Moving post to Cortex XDR for more visibility. 

LIVEcommunity team member
Stay Secure,
Jay

L5 Sessionator

Hello @JAEvans,

Cortex XDR being execution-based detection, we do collect AMSI content scan events and use them for detection purposes. You can use the example XQL query below to fetch AMSI data.

preset = xdr_event_log
| filter lowercase(action_evtlog_description) contains "amsi"
| filter lowercase(action_evtlog_username) not contains "system"

If the malware plants itself in memory and then executes, which in turn brings it to the surface, then the agent will prevent that attack.


Ashutosh Patil